Abstract

We derive a Hoare-Floyd logic for non-local jumps and mutable higher-order procedural variables
from a formulae-as-types notion of control for classical logic. The main contribution of this work is
the design of an imperative dependent type system for non-local jumps which corresponds to classical
logic but in which the famous consequence rule is still derivable.

Hoare-Floyd logics for non-local jumps are notoriously difficult to obtain, especially in the presence
of local mutable variables [1]. As far as we know, the question of proving the correctness of imperative
programs which combine local mutable higher-order procedural variables and non-local jumps has not
even been addressed. On the other hand, we have known since Griffin's pioneering work [3] how to prove the
correctness of (higher-order) functional programs with control in direct style, thanks to the formulae-as-types
interpretation of classical logic.

In [1], Chapter 3, we have thus extended the formulae-as-types notion of control to imperative programs
with higher-order procedural mutable variables and non-local jumps. Our technique, which was
inspired by Landin's seminal paper [4], consists in defining an imperative dependent type system ID
by translation into a functional dependent type system (which is actually Leivant's ML1P [5]). The
imperative language itself, called LOOP$^\omega$, was defined by the authors in [2].

Similarly to ML1P, the imperative type system is parametrized by a first-order signature and an
equational system $\mathcal{E}$ which defines a set of functions in the style of Herbrand-Gödel. The syntax of
imperative types of ID (with dependent procedure types and dependent records) is the following:

$$\sigma, \tau ::= \mathrm{nat}(n) \;\mid\; \mathbf{proc}\ \forall\Gamma(\mathbf{in}\ \tau;\ \mathbf{out}\ \sigma) \;\mid\; \exists\Gamma(\sigma_1, \ldots, \sigma_n) \;\mid\; n = m$$

Typing judgements of ID have the form $\Gamma;\Omega \vdash e : \tau$ if $e$ is an expression and $\Gamma;\Omega \vdash s \rhd \Omega'$ if $s$ is a
sequence, where the environments $\Gamma$ and $\Omega$ correspond respectively to immutable and mutable variables.
Note that our type system is pseudo-dynamic in the sense that the type of a mutable variable can change
along a sequence; the new types are given by $\Omega'$ (as in [8]). For instance, here is the typing rule of the
for loop (the loop counter $y$ is immutable inside the body, and the index $i$ may occur free in $\theta$):

$$\frac{\Gamma;\Omega, x:\theta[0/i] \vdash e : \mathrm{nat}(n) \qquad \Gamma, y:\mathrm{nat}(i);\ x:\theta \vdash s \rhd x:\theta[s(i)/i]}{\Gamma;\Omega, x:\theta[0/i] \vdash \mathbf{for}\ y := 0\ \mathbf{until}\ e\ \{s\} \rhd x:\theta[n/i]}$$



Embedding a Hoare-Floyd logic 

It is almost straightforward to embed a Hoare-Floyd logic into ID. Indeed, let us take a global mutable
variable, dubbed assert, and let us assume that this global variable is simulated in the usual state-passing
style (the variable is passed as an explicit in and out parameter to each procedure call). Consequently,
any sequence is typed with a sequent of the form $\Gamma;\Omega, \mathit{assert}:\varphi \vdash s \rhd \Omega', \mathit{assert}:\psi$. If we
now introduce the usual Hoare notation for triples (which hides the name of the global variable assert),
we obtain judgements of the form $\Gamma;\Omega \vdash \{\varphi\}\, s \rhd \Omega'\, \{\psi\}$. Rules very similar to Hoare's rules are then
derivable: for instance, the type of assert corresponds to the invariant in a loop, and to the types of the pre-
and post-conditions in a procedure type. The only rule which is not directly derivable is the well-known
consequence rule (the standard rule, whose two implications are the proof obligations):

$$\frac{\varphi' \supset \varphi \qquad \Gamma;\Omega \vdash \{\varphi\}\, s \rhd \Omega'\, \{\psi\} \qquad \psi \supset \psi'}{\Gamma;\Omega \vdash \{\varphi'\}\, s \rhd \Omega'\, \{\psi'\}}$$

This rule deserves a specific treatment since no proof-term is required for the proof obligations. However,
it is well known that in intuitionistic logic the proofs of some formulas have no computational content
(such formulas are called data-mute in [1]). The consequence rule is thus derivable if we restrict (without loss of
generality) the set of assertions to data-mute formulas.
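As an added illustration (not part of the paper's text), here is the for-loop rule of ID instantiated so that the global variable assert plays the role of the mutable variable $x$ and an assertion $I$ (with the loop index $i$ free) plays the role of $\theta$; this is the precise sense in which the type of assert is the loop invariant. Substituting $x := \mathit{assert}$ and $\theta := I$ in the rule gives

$$\frac{\Gamma;\Omega, \mathit{assert}:I[0/i] \vdash e : \mathrm{nat}(n) \qquad \Gamma, y:\mathrm{nat}(i);\ \mathit{assert}:I \vdash s \rhd \mathit{assert}:I[s(i)/i]}{\Gamma;\Omega, \mathit{assert}:I[0/i] \vdash \mathbf{for}\ y := 0\ \mathbf{until}\ e\ \{s\} \rhd \mathit{assert}:I[n/i]}$$

and, once assert is hidden by the triple notation (the mutable contexts are those of the ID rule, with assert removed), the familiar Hoare rule for a counting loop with invariant $I$:

$$\frac{\Gamma;\Omega \vdash e : \mathrm{nat}(n) \qquad \Gamma, y:\mathrm{nat}(i) \vdash \{I\}\, s \rhd \{I[s(i)/i]\}}{\Gamma;\Omega \vdash \{I[0/i]\}\ \mathbf{for}\ y := 0\ \mathbf{until}\ e\ \{s\} \rhd \{I[n/i]\}}$$

No consequence step is needed here: the proof term inhabiting $I[s(i)/i]$ after the body is the one the body computes. The consequence rule, and with it the data-mute restriction, only enters when one wants to strengthen the precondition $I[0/i]$ or weaken the postcondition $I[n/i]$ to the assertions actually stated for the surrounding program.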

Non-local jumps 

The imperative language was then extended in [1] with labels and non-local jumps. At the (dependent)
type level, this extension (called ID$^C$) corresponds to an extension from intuitionistic logic to classical
logic. For instance, the following typing rules for labels and jumps are derivable (first-class labels
are typed by negation; the jump rule assigns an arbitrary type $\tau'$ to $z$ since a jump never returns):

$$\frac{\Gamma, k:\neg\sigma;\ z:\tau \vdash s \rhd z:\sigma \qquad \Gamma;\Omega, z:\sigma \vdash s' \rhd \Omega'}{\Gamma;\Omega, z:\tau \vdash k:\{s\};\ s' \rhd \Omega'}
\qquad
\frac{\Gamma;\Omega, z:\tau \vdash k : \neg\sigma \qquad \Gamma;\Omega, z:\tau \vdash e : \sigma}{\Gamma;\Omega, z:\tau \vdash \mathbf{jump}(k, e) \rhd z:\tau'}$$

However, deriving a Hoare-Floyd logic for non-local jumps is not straightforward since there is no obvious
notion of data-mute formula in classical logic (as also noted in [6]), and thus the consequence
rule is in general not derivable. The problem comes from the fact that, in the presence of control operators,
the proof-terms corresponding to proof obligations may interact with the program. We shall exhibit an
example of such a program and we shall present a general solution to this problem which relies on the
distinction between purely functional terms and imperative procedures (possibly containing non-local
jumps).